General description

Information Security in industry has matured in the last few decades. Standards such as ISO17799 and the Common Criteria, together with a number of industrial certification and risk analysis methodologies, have raised the bar on what is considered a good security solution from a business perspective.

Yet, if we compare Information Security with Networking or Empirical Software Engineering, we find a major difference. Networking research has introduced concepts such as Quality of Service (QoS) and Service Level Agreements (SLAs); conferences and journals are frequently devoted to performance evaluation, QoS and SLAs. Empirical Software Engineering has made similar advances: notions such as software metrics and measurements are well established, and processes to measure the quality and reliability of software exist and are appreciated in industry.

Security looks different. Even a fairly sophisticated standard such as ISO17799 has an intrinsically qualitative nature. Notions such as Security Metrics, Quality of Protection (QoP) or Protection Level Agreement (PLA) have surfaced in the literature but still have a qualitative flavour. The "QoP field" in WS-Security is just a data field to specify a cryptographic algorithm. Indeed, neither ISO17799 nor ISO15408 (the Common Criteria) addresses QoP sufficiently. ISO17799 is a management standard, not directly concerned with the actual quality of protection achieved; ISO15408 is instead a product assessment standard, and yet it does not answer the question of how a user of a product assessed under it can achieve a high QoP within his or her operational environment. Each standard covers just one aspect of an effective QoP, and even the combination of the two would not address the aspect sufficiently. "Best practice" standards, such as the baseline protection standards published by many government agencies, also belong to the category of standards that are useful, but not sufficient, for achieving a good QoP.

Security is different in another respect as well. A very large proportion of recorded security incidents has a non-IT cause. Hence, while the networking and software communities may concentrate on technical features (networks and software), security requires a much wider notion of "system", including users, work processes and organisational structures in addition to the IT infrastructure.

The QoP Workshop intends to discuss how security research can progress towards a notion of Quality of Protection in Security comparable to the notion of Quality of Service in Networking, or to Software Reliability and Software Measurements and Metrics in Empirical Software Engineering.

The QoP Workshop will be a one-day workshop co-located with ESORICS, the European Symposium on research in security and privacy, to be held in Milano (Italy) on 12-14 September 2005, and with METRICS 2005, the 11th IEEE International Software Metrics Symposium, in Como (19-22 September).